10871983

Process-Based Multi-Key Total Memory Encryption

Published: December 22, 2020
Assignee: not available in USPTO data we have
Technical Abstract

Patent Claims
21 claims

Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.

Claim 1

Original Legal Text

1. A method for decrypting data including: maintaining a first process key table for a first process, wherein the first process key table maps keys for the first process to a set of key identifiers; maintaining a second process key table for a second process, wherein the second process key table maps different keys for the second process to the set of key identifiers; determining that the first process is in execution by a processor core; in response to determining that the first process is in execution by the processor core: loading the first process key table into an active process key table memory; receiving a first virtual memory address for first data; translating the first virtual memory address into a first physical memory address that identifies a first memory location; identifying a first key identifier of the set of key identifiers, the first key identifier encoded in at least one bit of the first physical memory address or the first virtual memory address; retrieving first encrypted data from the first memory location; identifying a first key for the first process mapped to the first key identifier in the active process key table memory; decrypting the first encrypted data using the first key to generate decrypted first data; storing the decrypted first data for access by the first process; and in response to determining that the second process is in execution by a processor core: loading the second process key table into the active process key table memory.

Plain English Translation

This invention relates to a method for decrypting data in a computing system where multiple processes share a common set of key identifiers but use different encryption keys. The problem addressed is securely managing decryption keys for different processes while minimizing memory overhead and ensuring efficient key retrieval. The method involves maintaining separate key tables for each process, where each table maps process-specific keys to a shared set of key identifiers. When a process is executing, its corresponding key table is loaded into an active memory location. Upon receiving a virtual memory address for encrypted data, the system translates it to a physical address, extracts a key identifier from the address, and uses the active key table to retrieve the appropriate decryption key. The encrypted data is then decrypted using this key and stored for the process. When another process begins execution, its key table replaces the active one, ensuring process isolation. This approach reduces memory usage by reusing key identifiers across processes while maintaining security through process-specific key mappings. The method is particularly useful in systems where multiple processes require encrypted data access but must be isolated from each other.

Claim 2

Original Legal Text

2. The method of claim 1, further including: retrieving the first encrypted data from a first level cache associated with the processor core; and storing the decrypted first data in a register associated with the core.

Plain English Translation

This invention relates to data processing systems, specifically methods for handling encrypted data within a processor core. The problem addressed is the inefficiency of accessing and decrypting data stored in encrypted form, particularly when the data is frequently reused. The invention improves performance by reducing the overhead of repeated decryption operations for frequently accessed encrypted data. The method involves retrieving encrypted data from a first-level cache associated with the processor core. The encrypted data is then decrypted and stored in a register associated with the core. This allows the decrypted data to be quickly reused without requiring repeated decryption operations. The method may also include retrieving the encrypted data from a second-level cache if it is not found in the first-level cache, and decrypting the data before storing it in the first-level cache. The decrypted data in the register can be used for subsequent operations, such as arithmetic or logical computations, without further decryption. This approach minimizes latency and improves processing efficiency by leveraging cache hierarchy and register storage for frequently accessed encrypted data.

Claim 3

Original Legal Text

3. The method of claim 1, further including: retrieving the first encrypted data from a mid level cache associated with the processor core; and storing the decrypted first data in a first level cache associated with the processor core.

Plain English Translation

This invention relates to a method for optimizing data access in a multi-level cache architecture within a processor core. The problem addressed is the inefficiency in data retrieval and decryption processes, particularly when encrypted data must be fetched from higher-level caches or memory, leading to performance bottlenecks. The method involves retrieving encrypted data from a mid-level cache associated with the processor core, decrypting the data, and then storing the decrypted data in a first-level cache. This approach reduces latency by minimizing the need to repeatedly decrypt the same data when accessed multiple times. The decryption process is performed before storing the data in the first-level cache, ensuring that subsequent accesses to the same data can be served directly from the faster first-level cache without additional decryption overhead. The method may also include retrieving the encrypted data from a higher-level cache or main memory if it is not found in the mid-level cache. The decryption process is performed by a decryption unit within the processor core, which may use hardware acceleration to improve performance. The first-level cache is optimized for low-latency access, making it ideal for storing frequently accessed decrypted data. This technique improves overall system performance by reducing the time spent on decryption and data retrieval operations.

Claim 4

Original Legal Text

4. The method of claim 1, further including: in response to determining that the second process is in execution by a processor core: storing the first process key table in a first process state memory; receiving a second virtual memory address for second data; translating the second virtual memory address into a second physical memory address that identifies a second memory location; identifying the first key identifier of the set of key identifiers encoded in at least one bit of the second physical memory address or the second virtual memory address; retrieving second encrypted data from the second memory location; identifying a second key for the second process mapped to the first key identifier in the active process key table memory; decrypting the second data using the second key to generate decrypted second data; and storing the decrypted second data for access by the second process.

Plain English Translation

This invention relates to secure memory access in a computing system where multiple processes execute on processor cores, each process using different cryptographic keys for data encryption and decryption. The problem addressed is ensuring secure and efficient access to encrypted data when switching between processes, preventing unauthorized access to data belonging to other processes. The system includes a memory controller that manages encrypted data storage and retrieval. When a second process begins execution on a processor core, the memory controller stores the first process's key table in a dedicated process state memory. The key table maps key identifiers to cryptographic keys used by the process. When the second process requests data, the memory controller receives a virtual memory address, translates it to a physical memory address, and extracts a key identifier encoded in the address. The controller then retrieves encrypted data from the identified memory location, looks up the corresponding key in the second process's active key table, decrypts the data using that key, and provides the decrypted data to the second process. This ensures that each process only accesses data encrypted with its own keys, maintaining isolation between processes. The system dynamically manages key tables and address translation to support secure multi-process execution.
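The mechanism of claims 1 and 4, as an added C simulation (not code from the patent or from this page): one key identifier carried in the address resolves to a different key depending on which process key table is active. The 2-bit key ID at bit 46, the XOR-based `toy_crypt` stand-in for the unspecified cipher, the constructed key values, and saving the table unencrypted (claim 5 would encrypt it first) are all assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEYID_BITS  2                          /* assumed key-ID width */
#define KEYID_SHIFT 46                         /* assumed position in the physical address */
#define NUM_KEYIDS  (1u << KEYID_BITS)
#define ADDR_MASK   ((1ULL << KEYID_SHIFT) - 1)
#define MEM_WORDS   16
#define NUM_PROCS   2

/* A process key table: the shared set of key IDs, mapped to this process's keys. */
typedef struct { uint64_t key[NUM_KEYIDS]; } key_table_t;

typedef struct {
    key_table_t active;            /* active process key table memory */
    key_table_t saved[NUM_PROCS];  /* process state memory */
    int current;                   /* running process, -1 if none */
    uint64_t mem[MEM_WORDS];       /* backing memory: ciphertext only */
} core_t;

/* Bijective 64-bit mixer (splitmix64 finalizer). */
static uint64_t mix(uint64_t x) {
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    x ^= x >> 31;
    return x;
}

/* Stand-in cipher for illustration only, NOT real encryption.
 * XOR with a key- and address-dependent pad, so it is its own inverse. */
static uint64_t toy_crypt(uint64_t key, uint64_t addr, uint64_t data) {
    return data ^ mix(key ^ mix(addr));
}

/* Encode a key ID into the upper bits of a physical address. */
uint64_t tag_addr(uint64_t addr, unsigned keyid) {
    return (addr & ADDR_MASK) |
           ((uint64_t)(keyid & (NUM_KEYIDS - 1)) << KEYID_SHIFT);
}

void core_init(core_t *c, const key_table_t *p0, const key_table_t *p1) {
    memset(c, 0, sizeof *c);
    c->saved[0] = *p0;
    c->saved[1] = *p1;
    c->current = -1;
}

/* Save the outgoing process's table, then load the incoming one
 * into the active table (claim 5 would encrypt the saved copy). */
void context_switch(core_t *c, int next) {
    if (c->current >= 0)
        c->saved[c->current] = c->active;
    c->active = c->saved[next];
    c->current = next;
}

/* Look up the key for the key ID carried in the address, active table only. */
static uint64_t active_key(const core_t *c, uint64_t paddr) {
    return c->active.key[(paddr >> KEYID_SHIFT) & (NUM_KEYIDS - 1)];
}

void mem_write(core_t *c, uint64_t paddr, uint64_t plain) {
    uint64_t addr = paddr & ADDR_MASK;   /* key-ID bits do not select the location */
    c->mem[addr % MEM_WORDS] = toy_crypt(active_key(c, paddr), addr, plain);
}

uint64_t mem_read(const core_t *c, uint64_t paddr) {
    uint64_t addr = paddr & ADDR_MASK;
    return toy_crypt(active_key(c, paddr), addr, c->mem[addr % MEM_WORDS]);
}

/* Returns 1 when: process 0 reads back its own data, process 1 gets a
 * different value for the same address and key ID, and process 0 reads
 * its data again after its table is restored. */
int demo_isolation(void) {
    const key_table_t p0 = {{0x1111, 0x2222, 0x3333, 0x4444}};  /* constructed keys */
    const key_table_t p1 = {{0xaaaa, 0xbbbb, 0xcccc, 0xdddd}};  /* constructed keys */
    const uint64_t secret = 0x1122334455667788ULL;
    const uint64_t pa = tag_addr(3, 1);   /* location 3, key ID 1 */
    core_t c;

    core_init(&c, &p0, &p1);
    context_switch(&c, 0);
    mem_write(&c, pa, secret);
    int own_ok = mem_read(&c, pa) == secret;

    context_switch(&c, 1);                /* same key ID now maps to p1's key */
    int other_blocked = mem_read(&c, pa) != secret;

    context_switch(&c, 0);
    int restored = mem_read(&c, pa) == secret;
    return own_ok && other_blocked && restored;
}

int main(void) {
    printf("isolation holds: %d\n", demo_isolation());
    return 0;
}
```

The cross-process read yields a wrong value rather than a fault, which is the confidentiality property the claims describe; nothing in this sketch detects tampering with the stored ciphertext.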

Claim 5

Original Legal Text

5. The method of claim 4, further including encrypting the first process key table prior to storing the first process key table in the first process state memory.

Plain English Translation

This invention relates to secure data processing systems, specifically methods for managing process key tables in a computing environment to enhance security and integrity. The problem addressed is the vulnerability of process key tables, which are critical for secure operations, when stored in memory without adequate protection. Unauthorized access or tampering with these tables can compromise system security, leading to data breaches or unauthorized execution of processes. The invention describes a method for securely managing process key tables in a computing system. A first process key table is generated, containing cryptographic keys or other sensitive data required for secure operations. Before storing this table in a first process state memory, the table is encrypted to prevent unauthorized access. The encryption ensures that even if the memory is compromised, the contents of the key table remain protected. The system may also include a second process key table stored in a second process state memory, which may be encrypted similarly. The method ensures that only authorized processes can access and use the key tables, maintaining the integrity and confidentiality of the system's cryptographic operations. This approach is particularly useful in environments where multiple processes share memory resources but require isolation for security reasons.

Claim 6

Original Legal Text

6. The method of claim 1, further including with an I/O circuit for the processor core: maintaining a copy of the first process key table and the second process key table; receiving, from a third process, a request for third data stored at a third physical memory address identifying a third memory location associated with the first process; identifying a key identifier encoded in a bit of the third physical memory address; identifying a key mapped to the key identifier in the copy of the first process key table; retrieving third encrypted data from the third memory location; decrypting the third encrypted data with the key to generate decrypted third data; and storing the decrypted third data for access by the third process.

Plain English Translation

This invention relates to secure memory access in a computing system, specifically addressing the challenge of efficiently managing encrypted data across multiple processes while maintaining security and performance. The system includes a processor core with an input/output (I/O) circuit that handles memory access requests from different processes. The I/O circuit maintains copies of two process key tables, which map key identifiers to cryptographic keys used to encrypt and decrypt data. When a third process requests data stored at a physical memory address, the I/O circuit checks the address for an encoded key identifier. This identifier is used to locate the corresponding key in the first process's key table. The system then retrieves the encrypted data from the specified memory location, decrypts it using the identified key, and provides the decrypted data to the requesting process. This approach ensures that processes can securely access encrypted data without exposing keys directly, improving both security and performance by avoiding repeated key lookups or decryption operations. The method is particularly useful in multi-process environments where secure data sharing is required, such as in virtualized or multi-tenant systems.

Claim 7

Original Legal Text

7. A per-process memory encryption system, including, in each core of a multi-core processor: at least one translation lookaside buffer (TLB) configured to map virtual memory addresses to physical addresses, wherein the TLB is configured to encode key identifiers for keys in one or more bits of either a virtual memory address or a physical address in the TLB; process state memory configured to store a first process key table for a first process that maps key identifiers to unique keys and a second process key table for a second process that maps the key identifiers to different unique keys; and active process key table memory configured to store an active key table corresponding to the first process key table when the first process is active and the second process key table when the second process is active; wherein in response to a request for data corresponding to a virtual memory address, the at least one TLB is configured to provide a key identifier encoded in the virtual memory address or physical address in the TLB for the data to the active process key table memory to cause the active process key table memory to return the unique key mapped to the key identifier.

Plain English Translation

A per-process memory encryption system is designed to enhance security in multi-core processors by encrypting memory on a per-process basis. The system addresses the challenge of protecting sensitive data from unauthorized access, particularly in shared memory environments where multiple processes execute concurrently. Each core of the multi-core processor includes a translation lookaside buffer (TLB) that maps virtual memory addresses to physical addresses. The TLB is configured to encode key identifiers within one or more bits of either the virtual or physical address. These key identifiers are used to retrieve encryption keys specific to each process. The system includes process state memory that stores separate key tables for different processes. Each key table maps key identifiers to unique encryption keys, ensuring that each process has distinct keys. Additionally, active process key table memory holds the key table corresponding to the currently active process. When a request for data is made using a virtual memory address, the TLB provides the encoded key identifier to the active process key table memory. This triggers the retrieval of the unique key mapped to the identifier, enabling secure encryption or decryption of the requested data. The system dynamically switches between key tables as processes switch, maintaining isolation and security for each process's memory. This approach ensures that memory encryption is process-specific, preventing unauthorized access to data from other processes.

Claim 8

Original Legal Text

8. The per-process memory encryption system of claim 7, further including: load/swap circuitry configured to, when the first process is active: identify that the second process is being loaded for execution; in response, store the first process key table in the process state memory; and store the second process key table in the active process key table memory.

Plain English Translation

The invention relates to a per-process memory encryption system designed to enhance security by encrypting memory contents on a per-process basis. The system addresses the challenge of protecting sensitive data in memory from unauthorized access, particularly in multi-process environments where different processes may have varying security requirements. Traditional memory encryption systems often encrypt all memory uniformly, which can be inefficient and may not provide fine-grained security controls. The system includes a process state memory and an active process key table memory. The process state memory stores key tables for inactive processes, while the active process key table memory holds the key table for the currently executing process. Each process has its own unique key table, which contains encryption keys used to encrypt and decrypt the process's memory contents. When a process is active, its key table is loaded into the active process key table memory, allowing the system to encrypt and decrypt memory accesses for that process using the appropriate keys. The system further includes load/swap circuitry that manages the transition between processes. When a first process is active and a second process is being loaded for execution, the circuitry identifies this event and stores the first process's key table in the process state memory. Simultaneously, it loads the second process's key table into the active process key table memory, ensuring that the correct encryption keys are used for the newly active process. This mechanism ensures seamless and secure transitions between processes, maintaining the integrity and confidentiality of each process's memory contents. The system thus provides a scalable and efficient solution for per-process memory encryption in

Claim 9

Original Legal Text

9. The per-process memory encryption system of claim 8, wherein the load/swap circuitry is configured to encrypt the first process key table prior to storage of the first process key table in process state memory.

Plain English Translation

This invention relates to per-process memory encryption systems designed to enhance security in computing environments by encrypting process-specific memory contents. The system addresses the problem of unauthorized access to sensitive data stored in memory, particularly during process execution or when processes are swapped in and out of memory. The invention ensures that process-specific memory contents remain encrypted when stored in process state memory, preventing exposure of decrypted data to potential attackers. The system includes load/swap circuitry that manages the encryption and decryption of process key tables, which are used to encrypt and decrypt memory pages associated with individual processes. When a process is swapped out of memory, the load/swap circuitry encrypts the process key table before storing it in process state memory. This ensures that even if an attacker gains access to the process state memory, the encrypted key table cannot be used to decrypt the process's memory pages without the correct decryption key. The system also includes a memory management unit (MMU) that enforces access control policies, ensuring that only authorized processes can access their respective encrypted memory pages. The MMU uses the process key table to determine the appropriate encryption keys for each memory access request, dynamically decrypting data as needed for authorized processes while keeping it encrypted for unauthorized access attempts. This approach provides fine-grained security at the process level, mitigating risks associated with memory-based attacks.

Claim 10

Original Legal Text

10. The per-process memory encryption system of claim 9, wherein the load/swap circuitry is configured to generate a third process key table for a new third process.

Plain English Translation

The invention relates to a per-process memory encryption system designed to enhance data security by encrypting memory contents on a per-process basis. The system addresses the problem of unauthorized access to sensitive data stored in memory, particularly in multi-process environments where different processes may share the same physical memory space. By encrypting memory contents with unique keys for each process, the system ensures that even if one process is compromised, the data of other processes remains protected. The system includes load/swap circuitry that manages the encryption and decryption of memory contents as processes are loaded, swapped, or executed. This circuitry dynamically generates and assigns process-specific encryption keys to ensure that each process operates with its own unique key. For a new third process, the load/swap circuitry generates a third process key table, which contains the encryption key and related metadata required to encrypt and decrypt the memory contents associated with that process. This key table is used to securely manage the encryption keys for the third process, ensuring that its memory contents are isolated from other processes. The system also includes a memory controller that enforces access control policies, allowing only authorized processes to access their respective encrypted memory regions. The overall architecture ensures that memory encryption is transparent to the processes, maintaining performance while enhancing security.

Claim 11

Original Legal Text

11. The per-process memory encryption system of claim 10, wherein the load/swap circuitry is configured to generate random keys for the third process key table.

Plain English Translation

A per-process memory encryption system encrypts memory pages assigned to different processes using unique cryptographic keys. The system includes a memory controller with load/swap circuitry that manages encryption keys for processes. The load/swap circuitry generates random keys for a third process key table, which stores encryption keys for a specific process. The system ensures that each process operates with its own dedicated encryption keys, preventing unauthorized access to memory pages of other processes. The load/swap circuitry dynamically assigns and manages these keys, ensuring secure memory access while maintaining performance. The system is designed to protect sensitive data in multi-process environments, such as operating systems or virtualized environments, where multiple processes share physical memory resources. The random key generation for the third process key table enhances security by preventing key reuse and reducing the risk of cryptographic attacks. The memory controller enforces access control policies, ensuring that only authorized processes can decrypt their assigned memory pages. This approach improves security without requiring significant modifications to existing hardware or software architectures.

Claim 12

Original Legal Text

12. The per-process memory encryption system of claim 10, wherein the load/swap circuitry is configured to obtain keys for the third process key table from a secure context.

Plain English Translation

The invention relates to a per-process memory encryption system designed to enhance data security by encrypting memory contents on a per-process basis. The system addresses the challenge of protecting sensitive data in memory from unauthorized access, particularly in multi-process environments where different processes may require distinct security levels. The system includes a memory encryption engine that encrypts and decrypts memory contents using process-specific keys, ensuring that each process's data remains isolated and secure. Load/swap circuitry dynamically manages these keys, allowing the system to switch between different encryption keys as processes are loaded or swapped in and out of memory. This dynamic key management ensures that only the currently active process has access to its corresponding decryption keys, preventing other processes from accessing encrypted data. The load/swap circuitry is configured to obtain keys for a third process key table from a secure context, such as a hardware security module or trusted execution environment, ensuring that the keys are stored and retrieved in a tamper-resistant manner. This secure key retrieval mechanism further strengthens the system's resistance to attacks aimed at compromising memory encryption keys. The system is particularly useful in environments where multiple processes with varying security requirements coexist, such as cloud computing, virtualized systems, or secure multi-party computation scenarios.

Claim 13

Original Legal Text

13. The per-process memory encryption system of claim 10, wherein the load/swap circuitry is configured to obtain keys for the third process key table from a virtual machine manager.

Plain English Translation

The invention relates to a per-process memory encryption system designed to enhance data security in computing environments by encrypting memory contents on a per-process basis. The system addresses the challenge of protecting sensitive data from unauthorized access, particularly in shared or virtualized computing environments where multiple processes may coexist. Traditional memory encryption methods often apply a single encryption key across all processes, which can be inefficient and may not provide adequate isolation between processes. The system includes a memory encryption engine that encrypts and decrypts memory contents using process-specific encryption keys. Load/swap circuitry dynamically manages these keys by obtaining them from a virtual machine manager (VMM) for a third process key table. This ensures that each process has its own unique encryption key, preventing unauthorized access to memory contents even if one process is compromised. The load/swap circuitry is responsible for loading and swapping these keys as processes are scheduled or context-switched, ensuring seamless and secure memory access. The VMM acts as a trusted source for distributing these keys, maintaining the integrity and security of the encryption process. This approach enhances security by isolating memory contents at the process level, reducing the risk of data breaches in multi-process or virtualized environments.

Claim 14

Original Legal Text

14. The per-process memory encryption system of claim 8, wherein the TLB is associated with an execution unit.

Plain English Translation

The invention relates to a per-process memory encryption system designed to enhance data security by encrypting memory contents on a per-process basis. The system addresses the challenge of protecting sensitive data from unauthorized access, particularly in multi-process environments where different processes may share the same physical memory space. By encrypting memory contents at the process level, the system ensures that data remains secure even if an attacker gains access to the physical memory. The system includes a translation lookaside buffer (TLB) that is associated with an execution unit. The TLB is a hardware component that caches virtual-to-physical memory address translations to speed up memory access. In this system, the TLB is configured to handle encrypted memory addresses, ensuring that only the correct process can access its encrypted data. The execution unit, which processes instructions and data, works in conjunction with the TLB to decrypt memory contents as needed, maintaining performance while ensuring security. The per-process memory encryption system dynamically manages encryption keys, associating each process with a unique key. When a process accesses memory, the system uses the corresponding key to encrypt or decrypt the data, preventing other processes from accessing the encrypted data. This approach provides fine-grained control over memory encryption, reducing the risk of data leaks and unauthorized access. The system is particularly useful in environments where multiple processes run concurrently, such as in cloud computing, virtualization, and secure multi-tenancy systems.

Claim 15

Original Legal Text

15. The per-process memory encryption system of claim 8, wherein the TLB is associated with a first level cache of the core.

Plain English Translation

A per-process memory encryption system is designed to enhance data security in computing systems by encrypting memory contents on a per-process basis. This approach prevents unauthorized access to sensitive data by ensuring that each process operates with its own encrypted memory space. The system includes a translation lookaside buffer (TLB) that is associated with a first-level cache of a processor core. The TLB accelerates virtual-to-physical address translations, which are essential for accessing encrypted memory efficiently. By integrating the TLB with the first-level cache, the system reduces latency in memory access operations, improving performance while maintaining security. The encryption keys used for each process are managed separately, ensuring that decrypted data is only accessible to the intended process. This design is particularly useful in multi-user or multi-application environments where data isolation and protection are critical. The system may also include mechanisms to dynamically update encryption keys or handle context switches between processes without compromising security or performance. Overall, the invention provides a balance between secure memory encryption and efficient processing, addressing the challenge of protecting sensitive data in modern computing environments.

Claim 16

Original Legal Text

16. A per-process memory encryption system, including, in each hardware thread of a core: at least one translation lookaside buffer (TLB) configured to map virtual memory addresses to physical addresses, wherein the TLB is configured to encode key identifiers for keys in one or more bits of either a virtual memory address or a physical address in the TLB; process state memory configured to store a first process key table for a first process that maps key identifiers to unique keys and a second process key table for a second process that maps the key identifiers to different unique keys; and active process key table memory configured to store an active key table corresponding to the first process key table when the first process is active and the second process key table when the second process is active; wherein in response to a request for data corresponding to a virtual memory address, the at least one TLB is configured to provide a key identifier encoded in the virtual memory address or physical address in the TLB for the data to the active process key table memory to cause the active process key table memory to return the unique key mapped to the key identifier.

Plain English Translation

A per-process memory encryption system enhances security by encrypting memory on a per-process basis. The system addresses the challenge of protecting sensitive data from unauthorized access, including attacks such as cold-boot attacks or physical memory probing. Each hardware thread in a processor core includes a translation lookaside buffer (TLB) that maps virtual memory addresses to physical addresses. The TLB encodes key identifiers in one or more bits of either the virtual or physical address, allowing the system to associate encryption keys with specific memory regions. The system maintains separate process key tables for different processes, where each table maps key identifiers to unique encryption keys. When a process is active, its corresponding key table is loaded into active process key table memory. During memory access, the TLB provides the key identifier from the address to the active key table, which returns the appropriate encryption key for decrypting the requested data. This ensures that each process uses its own unique keys, preventing one process from accessing another's encrypted memory. The system dynamically switches key tables as processes switch, maintaining security without requiring software intervention.

Claim 17

Original Legal Text

17. The per-process memory encryption system of claim 16, further including: load/swap circuitry configured to, when the first process is active: identify that the second process is being loaded for execution; in response, store the first process key table in the process state memory; and store the second process key table in the active process key table memory.

Plain English Translation

This invention relates to a per-process memory encryption system designed to enhance security in computing environments by encrypting memory contents on a per-process basis. The system addresses the challenge of protecting sensitive data from unauthorized access, particularly in multi-process environments where different processes may require different encryption keys. The system ensures that each process operates with its own dedicated encryption key, preventing one process from accessing another's encrypted data. The system includes a process state memory for storing process key tables when processes are inactive and an active process key table memory for storing the key table of the currently executing process. When a first process is active and a second process is loaded for execution, the system automatically stores the first process's key table in the process state memory and loads the second process's key table into the active process key table memory. This ensures seamless switching between processes while maintaining secure memory encryption. The system also includes a key table manager that generates and manages encryption keys for each process, ensuring that keys are unique and properly assigned. The encryption engine uses these keys to encrypt and decrypt memory contents as processes execute, providing real-time protection. The system further includes a memory controller that coordinates access to encrypted memory, ensuring that only the active process can access its own encrypted data. This approach prevents unauthorized access and enhances overall system security.

Claim 18

Original Legal Text

18. The per-process memory encryption system of claim 17, wherein the load/swap circuitry is configured to encrypt the first process key table prior to storage of the first process key table in process state memory.

Plain English Translation

The invention relates to a per-process memory encryption system designed to enhance data security in computing environments by encrypting memory contents on a per-process basis. The system addresses the problem of unauthorized access to sensitive data stored in memory, particularly during process execution or when processes are swapped out to disk. Traditional memory encryption systems often encrypt entire memory regions or use a single encryption key for all processes, which can be inefficient and may not provide sufficient isolation between processes. The system includes load/swap circuitry that manages the encryption and decryption of process-specific key tables. These key tables contain encryption keys used to secure the memory pages of individual processes. When a process is swapped out of memory or otherwise stored, the load/swap circuitry encrypts the process's key table before storing it in process state memory. This ensures that even if an attacker gains access to the stored process state, the encryption keys themselves remain protected. The system also includes a memory management unit (MMU) that enforces access control policies, ensuring that only authorized processes can access their respective encrypted memory regions. The MMU may use the encrypted key tables to dynamically derive encryption keys for memory pages, further enhancing security. The system may also include a key management unit (KMU) that generates, distributes, and revokes encryption keys as needed, ensuring that keys are securely managed throughout their lifecycle. By encrypting process key tables before storage, the system prevents attackers from extracting sensitive keys and compromising process memory.
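The mechanism of claims 16 to 18 can be modelled in a few lines; this is an added example, not code from the patent or its assignee. The key-identifier position (2 bits at bit 44), the XOR stand-ins for the memory cipher and the key-table wrap, and every name below are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define KEYID_BITS  2                      /* assumed: 4 key identifiers */
#define KEYID_SHIFT 44                     /* assumed position in the physical address */
#define NKEYS       (1u << KEYID_BITS)
#define NPROC       2

typedef struct { uint64_t key[NKEYS]; } key_table_t;

static key_table_t active;                 /* active process key table memory */
static key_table_t state_mem[NPROC];       /* process state memory (tables stored wrapped) */
static const uint64_t WRAP_KEY = 0xA5A5F00DCAFE1234ULL; /* constructed core-local secret */

/* Key identifier carried in the upper bits of the translated address (claim 16). */
static unsigned keyid_of(uint64_t pa) { return (unsigned)(pa >> KEYID_SHIFT) & (NKEYS - 1); }

/* Toy stand-in for the memory cipher: XOR with the key the active table returns. */
static uint64_t mem_xform(uint64_t pa, uint64_t data) { return data ^ active.key[keyid_of(pa)]; }

/* Toy stand-in for wrapping a table before it leaves the core (claim 18); self-inverse. */
static key_table_t wrap(key_table_t t) {
    for (unsigned i = 0; i < NKEYS; i++) t.key[i] ^= WRAP_KEY;
    return t;
}

/* Load/swap step (claim 17): save the outgoing table wrapped, load the incoming one. */
static void context_switch(int from, int to) {
    state_mem[from] = wrap(active);
    active = wrap(state_mem[to]);
}

/* Place a process's table into process state memory in wrapped form. */
static void install(int pid, const uint64_t keys[NKEYS]) {
    key_table_t t;
    for (unsigned i = 0; i < NKEYS; i++) t.key[i] = keys[i];
    state_mem[pid] = wrap(t);
}

int main(void) {
    /* Constructed sample keys: both processes use the same key identifiers 0..3. */
    const uint64_t k0[NKEYS] = {0x11, 0x22, 0x33, 0x44}, k1[NKEYS] = {0x55, 0x66, 0x77, 0x88};
    install(0, k0); install(1, k1);
    active = wrap(state_mem[0]);                       /* process 0 is running */
    uint64_t pa = (1ULL << KEYID_SHIFT) | 0x1000;      /* address tagged with key identifier 1 */
    uint64_t ct = mem_xform(pa, 0xDEADBEEF);           /* process 0 writes */
    context_switch(0, 1);
    printf("process 1 reads %llx\n", (unsigned long long)mem_xform(pa, ct));
    context_switch(1, 0);
    printf("process 0 reads %llx\n", (unsigned long long)mem_xform(pa, ct));
    return 0;
}
```

The same key identifier resolves to a different key once the active table is swapped, so process 1 reading process 0's location does not recover the plaintext.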

Claim 19

Original Legal Text

19. The per-process memory encryption system of claim 16, wherein data in a cache shared by multiple hardware threads is tagged with a key identifier and a hardware-thread identifier.

Plain English Translation

A per-process memory encryption system encrypts and decrypts data on a per-process basis to enhance security in multi-threaded computing environments. The system addresses the challenge of protecting sensitive data from unauthorized access, particularly in shared memory architectures where multiple hardware threads may execute concurrently. The system ensures that each process's data remains isolated and encrypted, even when stored in shared caches. In this system, data stored in a cache shared by multiple hardware threads is tagged with both a key identifier and a hardware-thread identifier. The key identifier associates the data with a specific encryption key, ensuring that only the authorized process can decrypt the data. The hardware-thread identifier further distinguishes data belonging to different threads within the same process, preventing unintended access or interference between threads. This tagging mechanism enables efficient and secure data management in shared cache environments, where multiple threads may access the cache simultaneously. The system dynamically applies the appropriate encryption key based on the key identifier and hardware-thread identifier, ensuring that data remains encrypted when stored in the cache and decrypted only when accessed by the correct thread. This approach enhances security while maintaining performance in multi-threaded systems.

Claim 20

Original Legal Text

20. The per-process memory encryption system of claim 16, wherein the TLB is associated with an execution unit.

Plain English Translation

A per-process memory encryption system encrypts and decrypts memory pages on a per-process basis to enhance security. The system includes a translation lookaside buffer (TLB) that stores virtual-to-physical address mappings and encryption metadata for memory pages. The TLB is associated with an execution unit, which processes instructions and accesses memory. When a process requests access to a memory page, the TLB provides the corresponding physical address and encryption metadata. The execution unit then uses this metadata to decrypt the page before processing or encrypt it before storage. This ensures that only the authorized process can access its encrypted memory pages, preventing unauthorized access even if the physical memory is compromised. The system dynamically manages encryption keys per process, ensuring that each process operates in an isolated, secure memory space. This approach mitigates risks such as cold-boot attacks and memory snooping, where an attacker might extract sensitive data from memory. The TLB's association with the execution unit optimizes performance by reducing the overhead of encryption and decryption operations, as the execution unit can directly access the necessary metadata without additional lookups. The system is particularly useful in multi-tenant environments, such as cloud computing, where multiple processes must coexist securely on the same hardware.

Claim 21

Original Legal Text

21. The per-process memory encryption system of claim 16, wherein the TLB is associated with a first level cache of the core.

Plain English Translation

A per-process memory encryption system is designed to enhance security by encrypting memory contents on a per-process basis, preventing unauthorized access to sensitive data. The system includes a translation lookaside buffer (TLB) that is associated with a first-level cache of a processor core. The TLB stores virtual-to-physical address translations, which are used to access encrypted memory pages. When a process accesses memory, the TLB provides the corresponding physical address, and the system decrypts the data before delivering it to the cache. This ensures that only the authorized process can access its encrypted memory contents, while other processes cannot decrypt or access the data. The first-level cache association with the TLB optimizes performance by reducing latency in address translation and data retrieval. The system may also include mechanisms to manage encryption keys per process, ensuring that each process has its unique key for encryption and decryption. This approach enhances security by isolating memory access at the hardware level, preventing attacks such as cold-boot attacks or memory snooping. The system is particularly useful in multi-tenant environments, such as cloud computing or virtualized systems, where multiple processes or virtual machines share the same physical hardware.

Patent Metadata

Filing Date

Unknown

Publication Date

December 22, 2020

Inventors

Wajdi Feghali
Vinodh Gopal
Kirk Yap
Sean Gulley
Raghunandan Makaram

Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, FAQs, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “PROCESS-BASED MULTI-KEY TOTAL MEMORY ENCRYPTION” (10871983). https://patentable.app/patents/10871983
